This Week In Security: XZ, ATT, And Letters Of Marque

The xz backdoor is naturally still the top story of the week. If you need a refresher, see our previous coverage. As expected, some very talented reverse engineers have gone to work on the code, and we have a much better idea of what the injected payload does.

One of the first findings to note is that the backdoor doesn’t allow a user to log in over SSH. Instead, when an SSH request is signed with the right authentication key, one of the certificate fields is decoded and executed via a system() call. And this makes perfect sense. An SSH login leaves an audit trail, while this backdoor is obviously intended to be silent and secret.

It’s interesting to note that this code made use of both autotools macros, and the GNU ifunc, or Indirect FUNCtions. That’s the nifty feature where a binary can include different versions of a function, each optimized for a different processor instruction set. The right version of the function gets called at runtime. Or in this case, the malicious version of that function gets hooked in to execution by a malicious library. Continue reading “This Week In Security: XZ, ATT, And Letters Of Marque”

Thingiverse Data Leaked — Check Your Passwords

Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not all accounts appear to be contained in the leak, which appears to relate to comments left on the site.

Aside from the seriousness of a leak in itself, the choice of encryption should raise a few eyebrows. Both SHA-1 and bcrypt can be considered broken or at best vulnerable to attack here in 2021, so much so that for any website to have avoided migration to a stronger algorithm indicates a very poor attention to website security on the part of Thingiverse. We’d like to think that it would serve as a salutary warning to other website operators in our field, to review and upgrade their encryption, but we suspect readers will agree that this won’t be the last time we report on such a leak and nervously check our own login details.